Module 1 - Working with Time
Topic 1 – Searching with Time
- Understand the _time field and timestamps
- View and interact with the event Timeline
- Use the earliest and latest time modifiers
- Use the bin command with the _time field
Topic 2 – Formatting Time
- Use various date and time eval functions to format time
Topic 3 – Using Time Commands
- Use the timechart command
- Use the timewrap command
Topic 4 – Working with Time Zones
- Understand how time and timezones are represented in your data
- Determine the time zone of your server
- Use strftime to correct timezones in results
Module 2 - Statistical Processing
Topic 1 – What is a Data Series
- Introduce data series
- Explore the difference between single-series, multi-series, and time series data series
Topic 2 – Transforming Data
- Use the chart, timechart, top, rare, and stats commands to transform events into data tables
- Explore search modes and their effect on search results
Topic 3 – Manipulating Data with eval Command
- Understand the eval command
- Explore and perform calculations using mathematical and statistical eval functions
- Perform calculations and concatenations on field values
- Use the eval command as a function with the stats command
Topic 4 – Formatting Data
- Use the rename command
- Use the sort command
Module 3 - Leveraging Lookups and Subsearches
Topic 1 – Using Lookup Commands
- Understand lookups
- Use the inputlookup command to search lookup files
- Use the lookup command to invoke field value lookups
- Invoke geospatial lookups in search
Topic 2 – Adding a Subsearch
- Define subsearch
- Use subsearch to filter results
- Identify when to use subsearch
- Understand subsearch limitations and alternatives
Topic 3 – Using the return Command
- Use the return command to pass values from a subsearch
- Compare the return and fields commands
Module 4 - Search Optimization
Topic 1 – Optimizing Search
- Understand how search modes affect performance
- Examine the role of the Splunk Search Scheduler
- Review general search practices
Topic 2 – Report Acceleration
- Define acceleration and acceleration types
- Understand report acceleration and create an accelerated report
- Reveal when and how report acceleration summaries are created
- Search against acceleration summaries
Topic 3 – Data Model Acceleration
- Understand data model acceleration
- Accelerate a data model
- Use the datamodel command to search data models
Topic 4 – Using the tstats Command
- Explore the tstats command
- Search acceleration summaries with tstats
- Search data models with tstats
- Compare tstats and stats
Module 5 - Enriching Data with Lookups
Topic 1 – What is a Lookup?
- Define a lookup and the default lookup types
- Lookups and the search-time operation sequence
Topic 2 – Creating Lookups
- Use file-based lookups at search time
- Create (upload, define, configure) a lookup
- Use an automatic lookup at search time
Topic 3 – Geospatial Lookups
- Understand geospatial lookups and KMZ/KML files
- Add and define a geospatial lookup
Topic 4 – External Lookups
- Understand external lookups
- Explore the default lookups, external_lookup.py
- Configure external lookups
Topic 5 – KV Store Lookups
- Introduce KV Store lookups
- Configure KV Store lookups
- Compare file-based CSV lookups to KV Store lookups
Topic 6 – Best Practices for Lookups
- Various best practices for using lookups
Module 6 - Data Models
Topic 1 – Introducing Data Model Datasets
- Understand data models
- Add event, search, and transaction datasets to data models
- Identify event object hierarchy and constraints
- Add fields based on eval expressions to transaction datasets
Topic 2 – Designing Data Models
- Create a data model
- Add root and child datasets to a data model
- Add fields to data models
- Test a data model
- Define permissions for a data model
- Upload/download a data model for backup and sharing
Topic 3 – Creating a Pivot
- Identify benefits of using Pivot
- Create and configure a Pivot
- Visualize a Pivot
- Save a Pivot
- Use Instant Pivot
- Access underlying search for Pivot
Topic 4 – Accelerating Data Model
- Understand the difference between ad-hoc and persistent data model acceleration
- Accelerate a data model
- Describe the role of tsidx files in data model acceleration
- Review considerations about data model acceleration
Topic 5 – Enriching Data
- Understand how fields from lookups, calculated fields, field aliases, and field extractions enrich data